[Dshield] Possible Virus......??
jsage at finchhaven.com
Tue Mar 19 01:45:09 GMT 2002
I downloaded the html source and what seems to be causing a download
is this portion of the source, down at the bottom of the page:
(suitably disarmed by neutering the html... :-)
[p align=center][iFrame src="http://24k.com.tw/hotrank2.asp" width=0 height=0 scolling="NO" border="0"]
[p align=center][iFrame src="http://att.com.tw/hotrank.asp" width=0 height=0 scolling="NO" border="0"]
[p align=center][iFrame src="http://www.everup.com.tw/ppager" width=0 height=0 scolling="NO" border="0"]
It's an iframe deal connecting to several web sites in Taiwan.
When I view the actual site, or the web page saved locally on one of
my own boxes, Opera gets stuck loading the page on "Waiting for user
confirmation of cookies" -- which, of course, I never give ;-)
When I comment-out this portion of the html and reload my local copy,
the page loads instantly without wanting cookies approved.
The only other devious item seems to be that two of the buttons at the
form on the bottom of the page attempt to send an email address,
possibly one that might be available generally, depending on how one
has one's web browser configured.
I don't have Opera configured to know anything about my email address,
and with the iFrames commented out, clicking the buttons doesn't do
Most people don't type their own logfiles; but, what do I care?
On Mon, Mar 18, 2002 at 03:07:54PM -0000, James Jarvis wrote:
> I just asked the person that had it and they deleted it so I can't get hold
> of the source again. I had a look earlier, and it was code sending you to a
> website. If you go to http://www.callin.net it will commence the download of
> something. If anyone has a machine that they use to test stuff on and is not
> going to affect a network etc. just go there and see what happens!
> -----Original Message-----
> From: John Sage [mailto:jsage at finchhaven.com]
> Sent: 18 March 2002 14:43
> To: list at dshield.org
> Subject: Re: [Dshield] Possible Virus......??
> If you have the html source, look for something like:
> [meta HTTP-EQUIV="REFRESH" CONTENT="5; URL=../index.html"]
> This tag automatically redirects the viewer to whatever url is after
> "URL= " after the number of seconds in "CONTENT= "
> This is *one* method of sending you off to an unknown web site, merely
> by viewing an html-formatted email..
> - John
> Most people don't type their own logfiles; but, what do I care?
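
Added example (not part of the original post or thread): a Python scanner for saved HTML source that flags the two techniques discussed above, iframes that are zero-size or hidden by style, and meta refresh redirects. The sample page and the example.test hosts are constructed, and the names HiddenLoadScanner and scan are hypothetical.

```python
import re
from html.parser import HTMLParser

# Constructed sample page; hosts under example.test are placeholders.
SAMPLE = """<html><head>
<meta HTTP-EQUIV="REFRESH" CONTENT="5; URL=../index.html">
</head><body>
<p align=center><iFrame src="http://tracker.example.test/hotrank.asp" width=0 height=0 scrolling="NO" border="0"></iFrame>
<iframe src="http://video.example.test/player" width="640" height="360"></iframe>
<iframe src="http://ads.example.test/x" style="display: none"></iframe>
</body></html>"""

ZERO = re.compile(r"0+(px|%)?")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
REFRESH = re.compile(r"\s*(\d+)\s*[;,]\s*url\s*=\s*['\"]?([^'\"]+)", re.I)


class HiddenLoadScanner(HTMLParser):
    """Collects (line, kind, target) for content that loads without user action."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so "iFrame" matches.
        a = {k: (v or "").strip() for k, v in attrs}
        line = self.getpos()[0]
        if tag in ("iframe", "frame") and a.get("src"):
            invisible = (ZERO.fullmatch(a.get("width", ""))
                         or ZERO.fullmatch(a.get("height", ""))
                         or HIDDEN_STYLE.search(a.get("style", "")))
            if invisible:
                self.findings.append((line, "hidden-iframe", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH.match(a.get("content", ""))
            if m:
                self.findings.append((line, "meta-refresh", m.group(2).strip()))


def scan(html_text):
    scanner = HiddenLoadScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for line, kind, target in scan(SAMPLE):
        print(f"line {line}: {kind} -> {target}")
```

The visible 640x360 iframe in the sample is not reported; only frames a viewer cannot see and the timed redirect are.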